Re: [m0n0wall] can't access to a domain name which is hosted in my LAN

Date:

Tue, 18 Jan 2005 14:19:30 -0700

James W. McKeand wrote:
>>It's worth noting that $20 Linksys boxes have managed to lick this
>>problem due to the user confusion it causes.
>>
>>
>But, would you use a $20 Linksys box for an environment hosting
>multiple domains and web sites? I don't think I would use one (or
>recommend one) for a client that is doing more than sharing a DSL
>connection between a few machines or maybe NATing minor SMTP traffic.
>IMO, the inbound NAT those boxes provide is good for home users to
>play games, not for businesses to host web pages.
>
>
No, I wouldn't suggest using a $20 Linksys box for those users. I
wouldn't even suggest a $20 linksys for my grandmother (at least not if
she wants me to support it), I suggest m0n0wall for her too :)
It's just annoying that m0n0wall doesn't have all of the functionality
of a $20 Linksys router.
>>I've ended up creating a DNS record of *.firewall.example.com (Where
>>example.com is my domain name) which points to my firewall's external IP, then I configure my
internal clients to use
>>machinename.firewall.example.com -- When they're internal, the DNS
>>forwarder takes care of it, when they're external they get the
>>firewall's external IP.
>>
>>This works, but it means that when I move a service from one internal IP to another, I not only
have to update m0n0wall but also every
>>internal machine.
>>
>>
>I don't mean to sound thick, but say what? I don't get it...
>
>
Okay, I'll try to make more sense.
The problem is that firewall.example.com has one IP externally, but
different ports point to different 192.168.x.x IPs internally. PCs that
live outside my firewall for their whole lives (machines at other
locations) can always use firewall.example.com without difficulty and
m0n0wall gets the traffic to the right place.
Machines that always live inside my firewall for their whole lives
(desktop machines here) can use mail.internal.example.com which always
points to the correct LAN IP.
The problem is the laptops which roam between my network and the rest of
the world. If they use the "internal" hostname, they can't get to mail,
the internal FTP, or any other resources when they're roaming unless
they VPN. Having them VPN seems like a big pain in the butt since the
ports they need are already open without a VPN (and the VPN is yet
another potential security hole)
As a workaround, I've come up with the following:
On my public DNS servers, I have a DNS record of *.firewall.example.com
which points to my external IP address.
I have users use ftp.firewall.example.com to access my FTP server,
mail.firewall.example.com to access the mail server,
www.firewall.example.com to access the www server. These all point to
the same external IP (m0n0wall's IP).
So, why not just use firewall.example.com?
Well... When they're inside my network, the IP for FTP, mail, www are
different internal IPs -- I use m0n0wall's DNS relay to "adjust" these
known hostnames to their internal NAT'd IPs.
This is a slightly convoluted workaround, but to my knowledge it's the
only way to handle machines which are sometimes inside and sometimes
outside, at least until/unless m0n0wall gets some form of bounce or
internal-NAT functionality.
>Also, it is not a good idea to advertise to the world ***HERE IS MY
>FIREWALL***. Security through obscurity.
>
>
I don't actually call it "firewall", but it's a better example then
having to explain my naming scheme in addition to a potentially
convoluted explaination.
--
They call it "PMS" because "Mad Cow Disease" was already taken